topic Re: ASA command in Network Security

ASA command

Lake — Fri, 21 Feb 2020 14:49:04 GMT

Hi Guys,

Can someone please explain to me exactly what this command mean:

access-list acl-outside extended permit tcp any4 any4

Thanks,

Lake

Re: ASA command

Seb Rupik — Wed, 22 Nov 2017 15:44:43 GMT

Hi Lake,

It is permitting any TCP protocol from any IPv4 source address to any IPv4 destination address.

Give then the name 'acl-outside' we can assume this is applied to your OUTSIDE interface, and is very permissive!

cheers,

Seb.

Re: ASA command

Lake — Wed, 22 Nov 2017 15:50:41 GMT

Does that mean that any traffic from outside can go through the firewall to any device inside our network?

Thanks,

Lake

Re: ASA command

Seb Rupik — Wed, 22 Nov 2017 16:46:34 GMT

That depends on the lines above it. If that is the first rule in the ACL, then yes, any IPv4 TCP traffic will be allowed through the interface.

Whats the output of:

sh access-list acl-outside

sh run | inc access-group

cheers,

Seb.

Re: ASA command

Lake — Wed, 22 Nov 2017 16:52:46 GMT

Here are the coutput of the commands:

sh access-list acl-outside
access-list acl-outside line 1 extended permit tcp any4 host 10.0.0.8 eq https (hitcnt=26848) 0x8805979e
access-list acl-outside line 2 extended permit udp any4 host 10.0.0.16 eq ntp (hitcnt=47) 0x6fae11cd
access-list acl-outside line 3 extended permit icmp any4 any4 echo-reply (hitcnt=0) 0xe16baeb0
access-list acl-outside line 4 extended permit icmp any4 any4 time-exceeded (hitcnt=379) 0x3c7fae32
access-list acl-outside line 5 extended permit icmp any4 any4 unreachable (hitcnt=17662) 0xe36cd89f
access-list acl-outside line 6 extended permit tcp any4 host 10.0.0.220 eq smtp (hitcnt=33439) 0xd96e39f4
access-list acl-outside line 7 extended permit tcp any4 host 10.11.11.6 eq www (hitcnt=4352) 0x59fb8383
access-list acl-outside line 8 extended permit tcp any4 host 10.11.11.6 eq https (hitcnt=411) 0x4d944572
access-list acl-outside line 9 extended permit tcp any4 host 10.11.11.5 eq ftp (hitcnt=22) 0xb3ff894f
access-list acl-outside line 10 extended permit udp any4 host 10.0.0.107 eq 1812 (hitcnt=0) 0x9f7f68d1
access-list acl-outside line 11 extended permit tcp any4 host 10.11.11.7 eq https (hitcnt=0) 0xcadb160a
access-list acl-outside line 12 extended permit tcp any4 host 10.11.11.7 eq www (hitcnt=0) 0xd0284c57
access-list acl-outside line 13 extended permit tcp any4 host 10.0.0.235 eq 8461 (hitcnt=0) 0x7872f3ad
access-list acl-outside line 14 extended permit tcp any4 host 10.0.0.186 eq https (hitcnt=527) 0x4bd18b04
access-list acl-outside line 15 extended permit tcp any host 10.0.0.220 eq smtp (hitcnt=0) 0xdbb575db
access-list acl-outside line 16 extended permit tcp any host 10.0.0.193 eq https (hitcnt=98) 0x3c452f2d
bwfw# sh run | inc access-group
access-group acl-outside in interface outside
access-group dmz-in in interface dmz

Thanks,
Lake

Re: ASA command

Seb Rupik — Wed, 22 Nov 2017 17:01:55 GMT

The ACL line you had in your original post, does not appear in that output.

What is the output from:

sh run | inc acl-outside

cheers,

Seb.

Re: ASA command

Lake — Wed, 22 Nov 2017 17:04:56 GMT

Sorry. I forgot to mention that I removed it a couple days ago. Does that mean that that command allows all tcp traffic from any ip addresses from the internet to any devices on our network?

Thanks,

Lake

Re: ASA command

Seb Rupik — Wed, 22 Nov 2017 17:08:44 GMT

Yes, it shadows every TCP rule in the ACL, essentially making their definition redundant.

cheers,

Seb.

Re: ASA command

Lake — Wed, 22 Nov 2017 17:11:46 GMT

Sorry. I am not quite sure what you mean. Does that mean that each rule is duplicated or was it opening all the ports from the internet coming in to our network?

Thanks,

Lake

Re: ASA command

Seb Rupik — Wed, 22 Nov 2017 17:30:22 GMT

Both. A shadow rule is one that provides the same functionally as an existing rule by being more broad in scope.

In your case you have multiple TCP IPv4 rules which specify destination hosts and ports. The rule which you removed provided the same permissions by allowing TCP traffic to ANY host on ANY port.

cheers,

Seb.

Re: ASA command

Lake — Wed, 22 Nov 2017 17:40:31 GMT

I take that you mean that any computer on the internet can access any devices on our network that is specifically listed on the ACL on any ports but they cannot access any other devices which are not listed in the ACL? Is that correct?

Thanks,

Lake

Re: ASA command

Seb Rupik — Wed, 22 Nov 2017 17:46:57 GMT

For a machine on the internet to access a host on your network, a static NAT rule would need to be present.

These static NAT rules are typically accompanied by a restrictive ACL to limit which ports can be reached on the inside host.

If you are only using static PAT, then you will already be defining which destination port is reachable, so an "any4 any4"rule won't cause any harm.

If this is an internal firewall with no NAT, then TCP traffic would have been able to flow freely through it.

cheers,

Seb.

Re: ASA command

Lake — Wed, 22 Nov 2017 17:58:42 GMT

Sorry again but was this rule harmful to our network given all the information I provided?

Thanks,

Lake

Re: ASA command

Seb Rupik — Wed, 22 Nov 2017 18:09:09 GMT

Is this a border firewall? We would probably need to see the NAT configuration to determine if there was a risk attached to the ACL.

As a rule of thumb, such a permissive ACL normally finds its way into production because of lazy configuration/ troubleshooting, and as such should not be present.

Re: ASA command

Lake — Wed, 22 Nov 2017 18:35:02 GMT

I have attached the NAT statements. I would be very shocked if this was a harmful ACL because we got Cisco to go over the configuration and we had a security company managing our firewall and they had access to it. Please advise.

Thanks,

Lake

Re: ASA command

Julio Carvajal — Wed, 22 Nov 2017 21:26:45 GMT

Hi,

I just checked the ACL configuration (very quickly) and I can tell you there is no need to have that ACL.

You would have that ACL only if you are troubleshooting the fw (only for a minute or so) and you want to check whether the FW is dropping a TCP connection or not but having it in production it's basically like having no firewall for TCP session (please allow any TCP session from anyone on the outside to any asset on the inside {Of course that asset needs to be advertised by NAT and you have a few of those}).

You can remove it as this is not safe @ all

Regards

Re: ASA command

Seb Rupik — Thu, 23 Nov 2017 08:15:02 GMT

Hi there,

We need to see the host addresses of the those network objects to determine if there is a specific ACE in acl-outside covering them. If there isn't then we can assume that NAT'd traffic to those hosts was permitted by the 'any4 any4' rule, and is no no longer functioning correctly.

cheers,

Seb.

Re: ASA command

Lake — Thu, 23 Nov 2017 15:06:32 GMT

Thanks a lot to everyone who helped answer my questions. I do have one more question. what does this command do: aaa authorization exec authentication-server auto-enable?

Thanks,

Lake

Re: ASA command

Seb Rupik — Thu, 23 Nov 2017 15:26:19 GMT

It is a AAA method to check if a successfully authenticated user can enter EXEC mode, and if so enter EXEC mode automatically upon login.

cheers,

Seb.

Re: ASA command

Lake — Thu, 23 Nov 2017 15:28:10 GMT

Thank you very much.